Open Banking in Turkey
“The Regulation on Banks’ Information Systems and Electronic Banking Services” (the “Regulation”), which defines the concept “Open Banking” as an electronic banking service, was published in the Official Gazette dated 15 March 2020 and numbered 31069, to become effective on 1 July 2020.
What are the arrangements introduced by the Regulation in respect of Open Banking?
The Regulation defines the concept “Open Banking” as “An electronic distribution channel whereby the customers or the parties acting on behalf of the customers are able to carry out banking transactions or instruct the bank to perform banking transactions, by accessing remotely to the financial services provided by the bank by means of the methods such as API, web service, file transfer protocol”. The BRSA is granted authorization to determine the principles and procedures regarding these services.
Briefly, “Open Banking” can be described as the sharing of customers’ financial data held at banks with third parties, with the consent of those customers.
Since the arrangement introduced for the Open Banking system is new in our country, the technical standards to be determined by the BRSA will specify the scope of this system and how it is to be implemented.
As its most significant innovations in respect of the Open Banking system, the Regulation prescribes that:
- While two-component identity authentication is the main rule for the Open Banking service, one-component identity authentication may be performed provided that such identity authentication meets certain conditions;
- Banks may perform remote identification operations;
- The BRSA is authorized to determine the services that may be provided via Open Banking Services and the principles and procedures regarding these services.
For further information, the full text of the relevant Regulation is accessible at .
With the Open Banking system, banks will be able to share with third-party companies the financial data they have recorded about their customers over many years (in brief, financial and digital behaviors, e.g. credits used by persons or companies, information pertaining to payments made, etc.), provided that the customers grant their consent to such sharing.
Through the application programming interfaces (“API”) provided by the banks, bank customers will securely share their financial data with all the financial institutions in the network by means of the Open Banking system, which provides access to their data in other financial institutions; by this means, bank customers will be able to carry out many transactions faster and at lower cost. In turn, financial institutions other than banks will also get the chance to provide their customers with products and services suited to those customers’ needs.
Personal Data and Open Banking
One of the most significant innovations brought by the Regulation concerns the receipt of the customer’s express instruction, introduced under “Sharing the Data”.
The following provision is prescribed: in the absence of a request from the bank customer that is provable in writing or through a permanent data storage medium, the bank shall not, other than in the exceptional cases referred to in the Law, share with and transfer to third parties in the country and abroad the information of customer secret nature that it obtains, stores or processes by means of information systems while performing its activities and in all kinds of its outsourcing.
This new provision appears to be aimed at compliance with the recent amendment to Article 73 of the Banking Law. That article prescribes that, even where the customer’s explicit consent is obtained, no sharing shall take place in the absence of the customer’s express instruction or request in this regard, other than in the cases indicated as exceptions to the confidentiality obligation.
Within this context, the principle will be to provide customers’ financial information to third-party service providers with those customers’ consent.
In fact, the most significant issue giving rise to concerns on the part of customers about Open Banking is how personal financial data will be used. According to research, customers mostly expect to be protected against fraud. Within this context, the banks’ obligations related to data security are enhanced further under the provisions introduced by the Regulation.
There is no doubt that Open Banking, as a dynamically developing field, will bring many innovations to our lives under the regulations that will be introduced by the BRSA in the forthcoming days.
However, the common point to be taken into consideration is that the extent to which banks effectively protect data privacy is crucial, both for the sharing of our personal financial data with third parties and for the protection of the personal data of bank customers as sector stakeholders.
There is no doubt that, with advancing technology, the Open Banking structure will be put into practice as a new banking approach in Turkey in the forthcoming period, that it needs to be monitored closely within the framework of the legal arrangements made, and that it is therefore a matter not to be overlooked.